HTTP Strict Transport Security, or HSTS for short, is a technology that tells visitors' web browsers that your website has an SSL certificate installed and that all connections to it must be upgraded to SSL. While this sounds like a very good idea, you must be aware of the issues it may cause and the requirements for using it.
What it does
Turning this setting on tells your server to advertise to all visitors that it must be contacted over SSL for all communications. Any link that directs a client to a non-SSL page on your website (http) will automatically be rewritten by the client's web browser to the SSL page (https).
It does this by adding a header, "Strict-Transport-Security", to the reply for every HTTP request. This document does not cover the technical specifics of this feature or how it works in detail; for more information please see Wikipedia.
Why this is important for you to understand
Turning on HSTS requires you to have a valid SSL certificate from a certificate authority installed on your server (or via CloudFlare), not a self-signed certificate. If you turn this setting on without an SSL certificate installed, visitors will not be able to access your website for quite some time. This is because their web browser will remember that your website must be served via SSL and will refuse to access it without SSL.
Our servers specify the max-age (the period of time for which browsers remember this setting) as 180 days, as recommended by SSLLabs. This means that if your SSL certificate is not correctly configured, visitors will not be able to access your website for up to 180 days after you turn this option back off again, unless they clear their browser cache.
You also need to ensure your SSL certificate does not expire, as this would also prevent access to your website.
How to turn it off if you decide not to use this
Simple: you may switch it off at any time. But if you intend to remove the SSL certificate from your website, or let it lapse, visitors who have used your website in the past will remember that you had HSTS enabled and will be prevented from accessing your website until the max-age expires.
If you want to downgrade and remove SSL from your website, you need to turn this setting off and then wait 180 days before removing the certificate or letting it lapse.
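The timing rules above (the 180-day max-age, the certificate outliving the window, and the wait before removing SSL) can be checked before the setting is switched on. The following is an added example, not the hosting provider's own code; the header value, dates and the RECOMMENDED_MAX_AGE constant are constructed for illustration.

```python
from datetime import datetime, timedelta

# SSLLabs recommends at least 180 days; the article's servers use this value.
RECOMMENDED_MAX_AGE = 180 * 24 * 3600  # max-age is expressed in seconds

def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def earliest_safe_removal(last_sent, max_age):
    """Date after which a browser that last saw the header on `last_sent`
    has forgotten the policy, so the certificate may be removed or lapse."""
    return last_sent + timedelta(seconds=max_age)

def assess_hsts(header, now, cert_not_after):
    """Return rollout findings; an empty list means the policy is safe to send."""
    policy = parse_hsts(header)
    if policy["max_age"] is None:
        # max-age is required; browsers ignore a header without it.
        return ["header has no max-age directive; browsers will ignore it"]
    findings = []
    if policy["max_age"] < RECOMMENDED_MAX_AGE:
        findings.append("max-age is below the recommended 180 days")
    window_end = earliest_safe_removal(now, policy["max_age"])
    if cert_not_after < window_end:
        findings.append(
            "certificate expires %s, before the HSTS window ends %s; "
            "renew it or returning visitors will be locked out"
            % (cert_not_after.date(), window_end.date()))
    return findings

if __name__ == "__main__":
    # Constructed sample: the 180-day header with a certificate that lapses early.
    for finding in assess_hsts("max-age=15552000; includeSubDomains",
                               datetime(2024, 1, 1), datetime(2024, 3, 1)):
        print("WARNING:", finding)
```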
Why you would want this
For some people it will be obvious why this is useful: things such as processing credit card information, or even logging into your CMS administration area, would then have a strict level of encryption enforced. But there is another reason: search engines such as Google have recently started to give websites that use SSL a ranking boost in the search results, to encourage website owners to upgrade to SSL.